top of page

Understanding the CARVER Methodology: Assessing Vulnerabilities Effectively

The CARVER method is used when conducting Risk, Threat, and Vulnerability Assessments. Whether it's a physical threat or a cyber threat this system is often used to conduct an assessment through the eyes of an attacker. Developing awareness by building target vulnerabilities from an attackers point of view is one of the best ways to build a defense. Nothing is more beneficial for an attacker than exploiting vulnerabilities to a target.

The C.A.R.V.E.R. method is a tool that has been adapted to use by the military, law enforcement, information security, and corporate sectors. By conducting a CARVER assessment to determine vulnerabilities you can focus on defending and protecting key vulnerabilities.

CARVER is an acronym used to evaluate the attractiveness of a target. Listed below are the six attributes within CARVER:

  1. Criticality- This is a measurement to determine how critical an infrastructure is. If a target is attacked what are the ramifications to the target. Will there be a financial loss? Perhaps there will be a draining of resources. Will the attack cause reputational damage? To an attacker these and more may be key reasons to attack in the first place.

  2. Accessibility- Can the target be easily accessible? If a target is fortified by people, or structure quality, access or entry controls, or other protective measures this may be enough to thwart an attack but you must know the vulnerabilities of a target and the various means in which a target can be attacked.

  3. Recuperability- How easy is it to recover from an attack? This is big in the eyes of an attacker as they may want their attack to cause devastating hardship. A fear to rebuild after an attack is a win for the attacker. This is a mindset game that should be considered when conducting an assessment.

  4. Vulnerability- How easy will it be to attack the target? Whether it's a celebrity, a building, an event, or computer data learn to exploit vulnerabilities so a conversation can be had and protective measures can be taken.

  5. Effect- What is the direct loss? If a CEO was to die in an attack who would take their place and make decisions. If the loss is financial what does the insurance cover in that situation? The Effect and Recuperability should work like best friends or teammates taking care of one another.

  6. Recognizability- How easy is it for the attacker to recognize their target? It might not be as simple as one might think. Targeting a building without knowing where the damage should be focused can be an error for the attacker. How do you deceive the attacker so that even if an attack occurs their is minimal damage?

Understanding the attacker mindset is not often encouraged by society but as threat assessment professionals it is a must to help identify vulnerabilities so there is a successful defense with minimum to no loss. The understanding is the most useful part in building a defense. Learning how an attacker thinks and plans will broaden your knowledge. This awareness and understanding is needed to avoid being a target of an attack.

Semper tutum semper vigilans


bottom of page